(54) Remote identity verification technique using a personal identification device



(57) Apparatus, and a method for its use, for automatically verifying the identity of a person seeking access to a protected property that is remotely located with respect to the apparatus, such as a remotely located computer file or building alarm system. The apparatus, which is disclosed in the form of a handheld device (14) or other portable device (14'), includes a sensor (16) for reading biometric data, such as a fingerprint image, from the person, and a correlator (28) for comparing the sensed data with a previously stored reference image (32) and for determining whether there is a match. If there is a match, the device (14) initiates an exchange of signals over a communication network, with the "door" (10) that protects the property. Specifically, the device (14) generates a numerical value, such as a cyclic redundancy code, from the stored reference image (32), encrypts the numerical value, and transmits it to the door (10) as confirmation of the person's identity. For further security, the person registers this numerical value at each door (10) to which access is desired. Upon receipt of identity confirmation from the device (14), the door (10) compares the received numerical value with the one stored during registration, before granting access to the protected property.




[FIG. 1B (drawing not reproduced): block diagram with the labels 18 (communication interface), 19, 17 (communication network), "COMMUN. INTERFACE" and "SERVER OR MAINFRAME COMPUTER"]



Printed by Xerox (UK) Business Services
2.16.7/3.6

EP 0 924 657 A2



Description 

BACKGROUND OF THE INVENTION 

[0001] The present invention relates generally to personal identification or verification systems and, more particularly, to systems that automatically verify a person's identity before granting access to valuable information or granting the ability to perform various transactions remotely. Traditionally, keys and locks, or combination locks, have been used to limit access to property, on the theory that only persons with a right to access the property will have the required key or combination. This traditional approach is, of course, still widely used to limit access to a variety of enclosed spaces, including rooms, buildings, automobiles and safe deposit boxes in banks. In recent years, mechanical locks have been supplanted by electronic ones actuated by encoded plastic cards, as used, for example, for access to hotel room doors, or to bank automatic teller machines (ATMs). In the latter case, the user of the plastic card as a "key" to a bank account must also supply a personal identification number (PIN) before access is granted.

[0002] A significantly different problem is presented when someone seeks access to information remotely, such as by telephone or through some other type of communication network. Telephone verification of identity is typically accomplished using passwords, personal identification numbers (PINs), or words of which only a limited number of people have knowledge. Banks frequently use the customer's mother's maiden name as an access code, sometimes coupled with other codes or numbers theoretically known only to the customer. There are many practical shortcomings to this approach, the most obvious of which is that any of these codes or secret words can be stolen, lost or fall into the wrong hands by other means. Security may be increased by encoding identity data into magnetic stripes on plastic identification cards, which are used in conjunction with telephones that have appropriate card readers. The use of "smart cards" containing even more information on an integrated-circuit chip has also been proposed, but these approaches also have the drawback that the identity cards may be lost or stolen.
[0003] Accordingly, there is a widely felt need for a more reliable technique for providing secure access to information and assets, particularly for users who seek this access over a communication system of some kind. Ideally, the technique should positively verify the identity of the person seeking remote access, and should eliminate the need to carry multiple scannable cards, and the need to memorize combinations, passwords and PINs. The present invention satisfies this need.

SUMMARY OF THE INVENTION 

[0004] The present invention resides in apparatus, and a method for its use, for automatically verifying the identity of a person seeking remote access to a protected property. The protected property may take a variety of forms, but typically includes a remotely located computer to which a user seeks access for reading or writing information. Alternatively, the protected property may be a building or other structure and the user wishes to activate or deactivate an alarm system in the building.
[0005] Briefly, and in general terms, the apparatus of the present invention comprises a personal identification device and means for securely communicating identity confirmation to a door that provides access to the protected property upon receipt of the identity confirmation. The personal identification device includes a sensor, for reading biometric data identifying a person seeking access to a protected property, storage means, for storing reference biometric data identifying a person authorized to have access to the protected property, and a correlator, for comparing the stored reference biometric data with the biometric data of the person seeking access and determining whether they match. The apparatus may further comprise a user interface having a first switch to initiate operation of the apparatus in a verification mode, and a second switch, actuation of which places the apparatus in an enroll mode of operation, wherein biometric data from the sensor are stored in the storage means for subsequent retrieval in the verification mode of operation.

[0006] In one of the disclosed embodiments of the invention, the sensor, the storage means and the correlator are all integrated into a portable communication device, such as a telephone, which may be a device carried by the person, or some other type of communication device remote from the protected property. In the disclosed embodiments, the means for securely communicating identity confirmation includes means for generating a numerical value from the stored reference biometric data; encryption logic, for encrypting the numerical value; and a communication interface for sending the encrypted numerical value to the door, together with identification data for the person. The door provides the desired access to the protected property upon confirming that the transmitted numerical value is the same as one previously provided by the person during a registration procedure.

[0007] The apparatus of the invention may further include a receiver, for receiving an encryption key generated by and transmitted from the door, and means for storing a private encryption key in the identification device. Further, the encryption logic in the device includes means for doubly encrypting the numerical value using the encryption key received from the door and the private encryption key.
[0008] The apparatus of the invention may also be defined as a separate device that includes a sensor, for reading fingerprint data identifying a user seeking access to a protected property; a memory for storing a reference fingerprint image of the user during an enrollment procedure and for holding the reference image for future use; an image correlator, for comparing the stored reference image with a fingerprint image of the user seeking access, as obtained from the sensor, and for determining whether the two images match; and means for securely communicating identity confirmation to a door that provides access to the protected property upon receipt of the identity confirmation. More specifically, the means for securely communicating identity confirmation includes means for generating a numerical value from the stored reference fingerprint image; encryption logic, for encrypting the numerical value; and a transmitter for sending the encrypted numerical value to the door, together with user identification data. The door provides the desired access to the protected property upon confirming that the transmitted numerical value is the same as one previously provided by the user during a registration procedure.
[0009] In the personal identification device as defined in the previous paragraph, the means for generating a numerical value includes means for generating a cyclic redundancy code from the stored reference fingerprint image. The device further includes a receiver, for receiving an encryption key generated by and transmitted from the door; and means for storing a private encryption key in the device. The encryption logic in the device includes means for doubly encrypting the numerical value using the encryption key received from the door and the private encryption key.

[0010] In terms of a novel method for automatically verifying the identity of a user seeking access to a remotely located, protected computer, the invention comprises the steps of sensing biometric data of a user, through a sensor that is part of a personal identification device carried by the user; comparing the sensed biometric data with reference biometric data previously stored in the personal identification device; determining whether the sensed biometric data match the reference biometric data; if there is a match, securely communicating, through a communication network, an identity confirmation to a door that controls access to the protected computer; and upon confirmation of the identity of the user at the door, providing the desired access to the protected computer. The method further comprises the step of initiating normal operation of the personal identification device by means of a manual switch.

[0011] In one embodiment of the method, the step of securely communicating includes generating a numerical value from the stored reference biometric data; encrypting the numerical value; transmitting the encrypted numerical value to the door; transmitting user identification data to the door; receiving and decrypting the encrypted numerical value at the door; comparing the decrypted numerical value with one previously stored at the door by the user during a registration process, to confirm the identity of the user; and if the identity of the user is confirmed, activating a desired function to provide access to the protected property.



[0012] More specifically, the step of securely communicating further comprises the steps of generating at the door a random pair of door public and private encryption keys; transmitting the door public key to the personal identification device; selecting for the personal identification device a pair of public and private encryption keys for all subsequent uses of the device; providing the personal identification device public key to the door as part of the door registration process; and storing the personal identification device private key secretly in the device. The encrypting step includes doubly encrypting the numerical value with the door public key and the personal identification device private key. The method further includes the step, performed at the door, of decrypting the doubly encrypted numerical value using the personal identification device public key and the door private key.

[0013] The invention may also be defined as a method for a user to obtain access to a remotely located and protected computer, the method including the steps of placing a finger on a fingerprint sensor in a device; actuating the device to sense and record a fingerprint of the user; comparing the sensed fingerprint with reference fingerprint data previously stored in the device; transmitting, upon a successful comparison, an identity confirmation from the device and over a communication network to the protected computer; and providing requested access to the protected computer upon receipt of an identity confirmation. The step of transmitting an identity confirmation ideally includes encrypting the identity confirmation in the device and decrypting the identity confirmation in the protected computer. More specifically, encrypting in the device includes doubly encrypting using a public encryption key received from the protected computer and a private encryption key stored in the device, and decrypting includes doubly decrypting using a public key provided by the device user and a private encryption key generated in the computer.

[0014] It will be appreciated from the foregoing that the present invention represents a significant advance in providing secure access to remotely located computers or similar protected properties. More particularly, the invention allows multiple properties or assets to be accessed remotely using a security device, which reliably identifies its owner using biometric data, such as a fingerprint. Because identification is verified in a small portable device, communication with multiple "doors" to protected property can be limited to a simple identity confirmation message, appropriately encrypted to prevent eavesdropping or reverse engineering. Other aspects and advantages of the invention will become apparent from the following more detailed description, taken in conjunction with the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS

[0015]

FIG. 1A is a diagram illustrating an application of the invention, wherein a personal identification device integrated into a cellular telephone is used to open a door remotely, through a communication network;

FIG. 1B is a block diagram showing the use of a personal identification device in conjunction with a portable computer, to gain access to a remotely located computer;

FIG. 2 is a block diagram depicting the principal components of the present invention;

FIG. 3 is a more detailed block diagram showing the components of a processor module shown in FIG. 2; and

FIG. 4 is a block diagram showing a sequence of signals transmitted between the portable device and a door to protected property.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0016] As shown in the drawings for purposes of illustration, the present invention pertains to a system for automatic verification of the identity of a person seeking remote access to protected property, over a communication network. Traditionally, remote access to protected property has been controlled with the use of passwords, codes and similar devices.

[0017] In accordance with the present invention, the person seeking access to protected property carries a portable identification device that includes a sensor capable of obtaining selected biometric measurements associated with the person, and communicating with a related device located near the "door" of the protected property. Preferably, the portable device also includes identity verification means, which compares the biometric measurements obtained from the sensor with corresponding measurements stored in a reference set of biometric measurements that were obtained from the same person during an enrollment procedure performed earlier.

[0018] FIG. 1A shows diagrammatically how the invention is used to open a "door," indicated by reference numeral 10, to protected property. A person seeking entry to the door 10 carries a small handheld device, which may be integrated into a cellular telephone 14' or may take the form of a separate device 14 (FIG. 1B). It will be understood, however, that the handheld device could be integrated into other types of communication terminals. The telephone 14' communicates with a receiver 15 located near the door 10. In the presently preferred embodiment of the invention, the telephone 14' includes a biometric sensor, which, in the presently preferred embodiment of the invention, is a fingerprint sensor 16. It will be understood, however, that the principles of the invention are also applicable to a device that employs other biometric properties to identify the user, such as print patterns from other parts of the anatomy, or iris patterns of the eye.

[0019] The telephone 14' communicates with the receiver 15 through a communication network 17 and a communication interface 18 located near the door 10. The interface 18 may be, for example, a telephone. FIG. 1B shows how the fingerprint sensor 16 may be connected to a laptop computer 19. When the user wishes to access information in a remotely located computer, referred to as 10' because it embodies another form of a "door," the user connects the sensor 16 to the laptop computer 19, effects a connection to the computer 10' through the communication network 17 and communication interface 18, and then is identified by means of the sensor.

[0020] When the user places a finger over the sensor 16 and actuates a switch, the person's fingerprint is scanned and is compared with a reference fingerprint image stored in the device 14 or 14', which includes a fingerprint correlator (not shown in FIGS. 1A and 1B) for this purpose. If the comparison results in a match, the device 14/14' transmits a confirming message to the door 10, or the computer 10'. The door 10 is opened to allow access by the user 12, or the computer 10' is conditioned to permit data access by the user.

[0021] The nature of the confirming message sent to the door 10 or the computer 10' is of considerable importance, because a simple "OK" or "open" signal in a standardized format would be easy to duplicate in a "cloning" process, and unauthorized access would be a relatively simple matter. The confirming message should ideally be in the same format for different access "doors," but should be encoded or encrypted in a way that prevents its duplication and prevents reverse engineering of the device 14. Details of one technique for accomplishing these goals are provided below.

[0022] FIG. 2 shows the principal components of the device 14, including the fingerprint sensor 16, a processor module 20, a transceiver 22 and a battery power supply 24. It will be understood that the same components may be integrated into another device, such as the cellular telephone 14', and that the battery power supply 24 may be integrated with the telephone battery. The fingerprint sensor 16 may be of any available design, and may include a capacitive, optical or other sensor. The sensor 16 produces a binary or grayscale image of a portion of the user's fingerprint. For rapid processing, the entire image may not be used in the comparison process that follows, but what the sensor 16 provides is a detailed "map" of the fingerprint, including all of its ridges and valleys. The processor module 20 is shown in more detail in FIG. 3.

[0023] The processor module 20 includes a processor 26, which may be, for example, a RISC (reduced instruction set computer) processor, a fingerprint matcher, which is a feature correlator 28 in the preferred embodiment of the invention, a cyclic redundancy code (CRC) generator 30, storage 32 for a reference fingerprint image, encryption logic 34 and storage 36 for a private encryption key. The device 14 also includes a user interface 38 through which the user 12 initiates operation in various modes. Basically, the user interface 38 includes one main operating button, which may be incorporated into the fingerprint sensor 16, and at least one additional button to initiate operation in the enrollment mode. The principal function of the processor 26 is to pre-process and enhance the fingerprint image provided by the sensor 16. Pre-processing includes "cleaning" the image, cropping the image to eliminate background effects, enhancing contrast in the image, and converting the image to a more manageable binary form. In the enrollment mode, the pre-processed image is stored in the reference image storage area 32, as indicated by the broken line 40. Enrollment is performed when the user first acquires the device 14, and is normally not repeated unless the device is lost or damaged. For additional security and convenience, the user may be asked to enroll two fingerprints, to allow for continued access if the user injures a finger, for example. In a verification mode of operation, the pre-processed fingerprint image is input to the correlator 28, as indicated by line 43, where it is compared with the reference image obtained from storage 32 over line 44. The correlator 28 uses an appropriate technique to compare the images, depending on the level of security desired. Because speed of operation is an important factor, a bit-by-bit comparison of the entire images is usually not performed. Rather, significant features of the reference image are identified and the same features are looked for in the newly scanned image. The techniques disclosed in U.S. Patent No. 5,067,162 may, for example, be incorporated into the correlator 28 for some applications of the device 14. Preferably, the fingerprint correlator 28 should follow the teachings of a co-pending patent application entitled "Fingerprint Feature Correlator," by inventors Bruce W. Evans et al., which is hereby incorporated by reference into this specification. As a result of the comparison of the images, the correlator 28 may generate a match signal on line 46, which activates the CRC generator 30. If a no-match signal is generated, as indicated on line 48, no further processing is performed. Optionally, the no-match signal on line 48 may be used to actuate an indicator on the user interface 38.

[0024] The cyclic redundancy code (CRC) generator 30, when actuated by a match signal on line 46, generates a relatively long (such as 128 bits) binary number derived from the reference image data. The CRC provides a single number that, for all practical purposes, uniquely identifies the stored reference fingerprint image. Even if two fingerprint images produced the same CRC, which is highly unlikely, the security of the system of the invention would not be compromised, as will shortly become clear.

[0025] The CRC itself is not stored in the device 14, but is transmitted in encrypted form to the door receiver 15. Before using the device 14 for access to a particular door 10 for the first time, the user 12 must first "register" at the door. The registration process is one in which an administrator of the door stores the user's name (or account number, or other identifying information), in association with a public encryption key to be used in the user's device 14, and the user's CRC as derived from the user's reference fingerprint. If the door 10 provides access to a financial institution, for example, the user will register by bringing his or her device 14 to the institution, and transmitting the fingerprint CRC from the device to the door receiver 15. In the registration mode, the door receiver 15 will store the user's CRC in association with the user's name or other identifying information. As part of the registration process, the user 12 will normally be required to present some form of identification other than the device 14, to prove to the institution that the user is, in fact, the one whose name or other identifying information is presented and will be stored in the door 10.

[0026] As will now be explained in more detail, in a subsequent use of the device 14 for access to a door 10 at which the user has registered, the device transmits a user name and the CRC corresponding to the stored reference image. Logic at the door 10 or computer 10' then compares the received CRC with the one that was stored for the named user during registration. If there is a match, the door is opened for the user.

[0027] FIG. 4 shows the communications that pass between the personal identification device 14 and a door 10, two different forms of which are shown, including a computer 10.1 and another type of "door" 10.2, such as in a house or other property to which remote access is desired. Each door 10 has an actuator 50, to perform some desired operation, such as opening the door, and each door also has a database 52 in which is stored the user name, the user device public encryption key and the user CRC, for each user registered to use the door. For file access to the computer 10.1, the user may simply need to access personal data relating to a user account in a bank or other institution, or may need to download information from a file in the computer. For access to the door 10.2, the user may need, for example, to make sure that an alarm system has been activated in a residence or office.
[0028] When the user actuates the device 14, the user name is transmitted to the door 10 in non-encrypted form, as indicated by line 54. On receiving the user name, the door 10 generates a random pair of public and private encryption keys to be used in the ensuing exchange of messages. Since public key encryption is used in this illustrative embodiment of the invention, a few words of explanation are called for, but it will be understood that the principles of public key encryption are well understood in the field of secure communication.

[0029] In public key encryption, two separate encryption keys are used: a "public" key (potentially known to everyone and not kept secret), and a "private" key (known to only one party in a communication from one party to another). The pair of public-private keys has the property that, if either of them is used to encrypt a message, the other one of the pair will decrypt the message. For example, party A can send a secure message to party B by first encrypting with B's public key. Only B can decrypt the message, because only B has B's private key needed for decryption. Similarly, B could send an encrypted message to A using B's private key for encryption. A could decrypt the message with B's public key, but so could anyone else, because B's public key may be known to others. Therefore, the message transmitted using this "backward" form of public key encryption would not be secure.

[0030] The illustrative embodiment of the present invention uses a double encryption form of public key encryption. Both the device 14 and the door 10 have a public-private key pair. As presently contemplated, the device 14 of the invention will have a "fixed" public and private key pair, that is to say the public and private keys will not change from one use of the device to the next. The device public key is registered with each door 10 and it would be impractical to change it for every use. The device private key is stored (at 36, FIG. 3) in the device 14, preferably in a form in which it cannot be discerned by inspection or reverse engineering. The key may, for example, be encoded into the silicon structure of the processor module 20 in such a way that it is practically indecipherable by any normal reverse engineering technique. Each door 10 generates a new public-private key pair on every new use of the door. Thus, these keys cannot be determined in advance of the actual message exchange with a device 14.

[0031] Upon receipt of a user name from the device 14, the door 10 to which access is sought generates a random pair of public-private keys, and transmits the public key to the device without encryption, as indicated by line 58. Then, if the device 14 has validated the user's identification by successfully matching the sensed fingerprint image with the reference image, the device performs two levels of encryption on the CRC that is generated. First, the encryption logic 34 in the device 14 encrypts the CRC using the door's public key. Then the resulting encrypted CRC is doubly encrypted using the device's private key. The doubly encrypted CRC is transmitted to the door 10, where it is decrypted using the device's public key and then using the door's private key to recover the CRC. The door 10 then compares this CRC with the CRC in its database 52 associated with the user name seeking access to the door. If there is a match, the door 10 signals its actuator 50 to open the door or to perform some other desired operation.

[0032] It will be appreciated from this description that the invention provides an extremely secure technique for accessing protected property. The device 14 is designed such that it cannot initiate a door opening operation without first matching the fingerprint of the user with the stored reference image. Even if a device thief successfully re-enrolls his own fingerprint into the device, the CRCs stored in each of the doors where the rightful user is registered would prevent operation of the doors by the thief.

[0033] Someone attempting to fabricate a "cloned" device would not have the device private key, so the door would be unable to decrypt messages from the cloned device. If someone were to eavesdrop on a device transmission and try to emulate this message in a subsequent attempt to open the same door, this approach would be foiled by the door's use of a different set of keys for each transaction. Therefore, the device's encrypted message to any door will be different on each occasion.
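The exchange of paragraphs [0025] to [0033], written out as a runnable Python simulation (an added example, not the patent's own design or code): registration of the user name, device public key and CRC in database 52; the clear-text user name on line 54; the door's per-transaction key pair on line 58; the CRC encrypted first with the door public key and then with the device private key; the door's decryption in reverse order and comparison with the registered CRC; and the two failure cases the text relies on, a cloned device lacking the registered private key and a captured message replayed against fresh door keys. Everything the description leaves open is an assumption here: textbook RSA with toy 40-bit and 48-bit primes stands in for the unspecified encryption logic 34, CRC-32 for the 128-bit code of [0024], a bit-agreement threshold for the correlator 28, and the user names and image bytes are constructed.

```python
import secrets
import zlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

RSA_E = 65537           # conventional public exponent (assumption)
MATCH_THRESHOLD = 0.05  # max fraction of differing bits the toy correlator accepts (assumption)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; adequate for the toy key sizes used here."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


@dataclass(frozen=True)
class KeyPair:
    n: int
    e: int
    d: int


def generate_keypair(prime_bits: int) -> KeyPair:
    """Textbook RSA. Door keys use 40-bit primes and device keys 48-bit primes, so a value
    below the door modulus always fits under the device modulus for the second layer."""
    while True:
        p, q = random_prime(prime_bits), random_prime(prime_bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % RSA_E != 0:
            return KeyPair(p * q, RSA_E, pow(RSA_E, -1, phi))


def reference_crc(image: bytes) -> int:
    """CRC generator 30; CRC-32 stands in for the 128-bit code (assumption)."""
    return zlib.crc32(image) & 0xFFFFFFFF


def images_match(reference: bytes, scanned: bytes) -> bool:
    """Correlator 28 stand-in: bitwise agreement of two pre-processed binary images (assumption)."""
    if len(reference) != len(scanned):
        return False
    diff = int.from_bytes(reference, "big") ^ int.from_bytes(scanned, "big")
    return bin(diff).count("1") <= MATCH_THRESHOLD * 8 * len(reference)


class Device:
    """Device 14: reference image (storage 32) and a fixed key pair, private half at storage 36."""

    def __init__(self, user_name: str, reference_image: bytes) -> None:
        self.user_name, self.reference_image = user_name, reference_image
        self.key = generate_keypair(48)

    def public_key(self) -> Tuple[int, int]:
        return (self.key.n, self.key.e)

    def identity_confirmation(self, scanned: bytes, door_pub: Tuple[int, int]) -> Optional[int]:
        """No-match (line 48): nothing is sent. Match: CRC under door public key, then device private key."""
        if not images_match(self.reference_image, scanned):
            return None
        n_door, e_door = door_pub
        c1 = pow(reference_crc(self.reference_image), e_door, n_door)
        return pow(c1, self.key.d, self.key.n)


class Door:
    """Door 10 with database 52: user name -> (device public key, registered CRC)."""

    def __init__(self) -> None:
        self.database: Dict[str, Tuple[Tuple[int, int], int]] = {}
        self.session_key: Optional[KeyPair] = None

    def register(self, user_name: str, device_pub: Tuple[int, int], crc: int) -> None:
        self.database[user_name] = (device_pub, crc)

    def begin_transaction(self, user_name: str) -> Optional[Tuple[int, int]]:
        """Lines 54/58: on receiving a user name, generate a fresh key pair and return its public half."""
        if user_name not in self.database:
            return None
        self.session_key = generate_keypair(40)
        return (self.session_key.n, self.session_key.e)

    def verify(self, user_name: str, message: int) -> bool:
        """Strip the device layer with the registered public key, then the door layer, and compare."""
        if self.session_key is None or user_name not in self.database:
            return False
        (n_dev, e_dev), registered_crc = self.database[user_name]
        crc = pow(pow(message, e_dev, n_dev), self.session_key.d, self.session_key.n)
        self.session_key = None  # single use: a replayed message meets different keys next time
        return crc == registered_crc


def access_attempt(device: Device, door: Door, scanned: bytes) -> bool:
    door_pub = door.begin_transaction(device.user_name)
    message = device.identity_confirmation(scanned, door_pub) if door_pub else None
    return message is not None and door.verify(device.user_name, message)


# Constructed sample data standing in for 1024-byte pre-processed binary fingerprint images.
ALICE_IMAGE = bytes((i * 37 + 11) % 256 for i in range(1024))
GOOD_SCAN = ALICE_IMAGE[:1000] + bytes(b ^ 0x01 for b in ALICE_IMAGE[1000:])  # 24 of 8192 bits differ
BAD_SCAN = bytes((i * 91 + 3) % 256 for i in range(1024))                        # a different finger


def demo() -> Dict[str, bool]:
    alice, door = Device("alice", ALICE_IMAGE), Door()
    door.register("alice", alice.public_key(), reference_crc(ALICE_IMAGE))  # the registration visit
    results = {
        "genuine_user": access_attempt(alice, door, GOOD_SCAN),
        "wrong_finger": access_attempt(alice, door, BAD_SCAN),
        "unregistered_user": access_attempt(Device("bob", BAD_SCAN), door, BAD_SCAN),
        # a re-enrolled or cloned device carries a key pair the door never registered
        "cloned_device": access_attempt(Device("alice", ALICE_IMAGE), door, ALICE_IMAGE),
    }
    captured = alice.identity_confirmation(GOOD_SCAN, door.begin_transaction("alice"))
    results["first_transaction"] = door.verify("alice", captured)
    door.begin_transaction("alice")  # the door's next transaction uses new keys
    results["replayed_message"] = door.verify("alice", captured)
    return results
```

Calling demo() grants access only to the genuine user and the first transaction; the wrong finger stops inside the device, the unregistered name and the cloned device fail at the door, and the replayed message decrypts to garbage under the door's next key pair. In RSA terms, "encrypting with the device private key" is a raw signature, and unpadded textbook RSA is malleable, so an implementation built on this description would use a padded signature over the door-encrypted value (and authenticated encryption for the data transfer of [0035]) rather than bare modular exponentiation; the key sizes and CRC width here are chosen only so the nested values stay below the moduli.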

[0034] An additional level of security may be provided by storing the CRC at the door 10 in an internally encrypted form, to prevent theft of CRCs from doors.

[0035] If the door 10 is the computer 10.1, and the user wishes to download information from the computer, this will usually require an additional exchange of messages between the device 14 and computer 10.1, to establish an appropriate level of security for the transfer from the computer. Techniques for effecting secure data transmission may include the exchange of messages to establish a session encryption key for the transmission, or an encryption key may have been previously established for this purpose.

[0036] It will be understood from the foregoing that the present invention represents a significant advance in the field of security devices for limiting access to remotely located property. In particular, the invention allows a person to obtain access to different properties remotely, using a handheld device that verifies its owner's identity very reliably, by means of unique biometric parameters, such as those found in a fingerprint. Moreover, the device of the invention is highly resistant to reverse engineering, "cloning" and other techniques for tampering to obtain access to the protected properties. It will also be appreciated that, although a specific embodiment of the invention has been described in detail for purposes of illustration, various modifications may be made without departing from the spirit and scope of the invention, which should not be limited except as by the appended claims.

Claims 

1. Apparatus for automatically verifying the identity of a person seeking remote access to a protected property, the apparatus comprising:

a personal identification device having a sensor, for reading biometric data identifying a person seeking access to a protected property, storage means, for storing reference biometric data identifying a person authorized to have access to the protected property, and a correlator, for comparing the stored reference biometric data with the biometric data of the person seeking access and determining whether they match; and

means for securely communicating identity confirmation to a door through a communication network, wherein the door provides access to the protected property upon receipt of the identity confirmation. 

2. Apparatus as defined in claim 1, wherein:

the sensor, the storage means and the correlator are integrated into a portable communication device; and/or wherein:

the sensor, the storage means and the correlator are all contained in a portable device that is connectable to a communication device; and/or wherein:

the protected property is a computer file stored in a computer that is remotely located with respect to the personal identification device; and/or said apparatus further comprising:

a user interface having a first switch to initiate operation of the apparatus in a verification mode, and a second switch, actuation of which places the apparatus in an enroll mode of operation, wherein biometric data from the sensor are stored in the storage means for subsequent retrieval in the verification mode of operation, and wherein the means for securely communicating identity confirmation preferably includes:

means for generating a numerical value from the stored reference biometric data;

encryption logic, for encrypting the numerical value; and

a communication interface for sending the encrypted numerical value to the door, together with identification data for the person;

wherein the door provides the desired access to the protected property upon confirming the transmitted numerical value is the same as one previously provided by the person during a registration procedure, and said apparatus preferably further comprising:

a receiver, for receiving an encryption key generated by and transmitted from the door; and

means for storing a private encryption key in the personal identification device;

and wherein the encryption logic includes means for doubly encrypting the numerical value using the encryption key received from the door and the private encryption key. 



3. A personal identification device for automatically verifying the identity of a user seeking to use the device for access to a remotely located protected property, the device comprising:

a sensor, for reading fingerprint data identifying a user seeking access to a protected property;

a memory for storing a reference fingerprint image of the user during an enrollment procedure and for holding the reference image for future use;

an image correlator, for comparing the stored reference image with a fingerprint image of the user seeking access, as obtained from the sensor, and for determining whether the two images match; and

means for securely communicating identity confirmation to a door through a communication network wherein the door provides access to the protected property upon receipt of the identity confirmation. 

4. A personal identification device as defined in claim 3, wherein the means for securely communicating identity confirmation includes:

means for generating a numerical value from the stored reference fingerprint image;

encryption logic, for encrypting the numerical value; and

a transmitter for sending the encrypted numerical value to the door, together with user identification data;

wherein the door provides the desired access to the protected property upon confirming that the transmitted numerical value is the same as one previously provided by the user during a registration procedure; and wherein:

the means for generating a numerical value preferably includes means for generating a cyclic redundancy code from the stored reference fingerprint image; and said personal identification device preferably further comprises:

a receiver, for receiving an encryption key generated by and transmitted from the door through the communication network; and

means for storing a private encryption key in the device;

and wherein the encryption logic includes means for doubly encrypting the numerical value using the encryption key received from the door and the private encryption key. 

5. A method for automatically verifying the identity of a user seeking access to a remotely located, protected computer, the method comprising the steps of:

sensing biometric data of a user, through a sensor that is part of a personal identification device carried by the user;

comparing the sensed biometric data with reference biometric data previously stored in the personal identification device;

determining whether the sensed biometric data match the reference biometric data;

if there is a match, securely communicating, through a communication network, an identity confirmation to a door that controls access to the protected computer; and

upon confirmation of the identity of the user at the door, providing the desired access to the protected computer. 

6. A method as defined in claim 5, and further comprising the step of:

initiating verification operation of the personal identification device by means of a manual switch; and/or

wherein the step of securely communicating includes:

generating a numerical value from the stored reference biometric data;

encrypting the numerical value;

transmitting the encrypted numerical value over the communication network to the door;

transmitting user identification data over the communication network to the door;

receiving and decrypting the encrypted numerical value, at the door;

comparing the decrypted numerical value with one previously stored at the door by the user during a registration process, to confirm the identity of the user; and

if the identity of the user is confirmed, activating a desired function to provide access to the protected computer. 

7. A method as defined in claim 6, wherein the step of securely communicating further comprises:

generating at the door a random pair of door public and private encryption keys;

transmitting the door public key to the personal identification device;

selecting for the personal identification device a pair of public and private encryption keys for all subsequent uses of the device;

providing the personal identification device public key to the door as part of the door registration process; and

storing the personal identification device private key secretly in the device;

and wherein the encrypting step includes doubly encrypting the numerical value with the door public key and the personal identification device private key, and

wherein the door preferably performs the additional step of:

decrypting the doubly encrypted numerical value using the personal identification device public key and the door private key. 

8. A method for a user to obtain access to a remotely located and protected computer, the method including the steps of:

placing a finger on a fingerprint sensor in a device while approaching the door;

actuating the device to sense and record a fingerprint of the user;

comparing the sensed fingerprint with reference fingerprint data previously stored in the device;

upon a successful comparison, transmitting an identity confirmation from the device and over a communication network to the protected computer; and

providing requested access to the protected computer upon receipt of an identity confirmation. 

9. A method as defined in claim 8, wherein the step of transmitting an identity confirmation includes:

encrypting the identity confirmation in the device; and

decrypting the identity confirmation at the protected computer. 

10. A method as defined in claim 9, wherein:

the step of encrypting includes doubly encrypting; and

the step of decrypting includes doubly decrypting; and wherein:

the step of doubly encrypting preferably includes first encrypting the identity confirmation using a public encryption key generated in and received from the protected computer and then further encrypting using a private device encryption key stored in the device; and

the step of doubly decrypting includes first decrypting using a public device encryption key provided by the user on prior registration at the computer and then decrypting using a private encryption key generated in the computer. 